Apache Struts team fix critical flaw in latest release

Remote command execution vulnerability now cleared up in newest version. But is this one time too many?

Developers behind open source web framework Apache Struts, which
has become a popular choice for creating Java web-based
applications, have released an update to secure a critical hole in
the software.

Details within an advisory reveal how remote command execution
was possible, by invoking
java.lang.Runtime.getRuntime().exec() to run an
arbitrary command. The fix covers Struts versions 2.0.0 to
2.3.1.1.

This isn’t the first time that Struts has been at the mercy of
such flaws, with previous OGNL problems reported back in 2008
and 2010 that allowed for malicious Java code manipulation and
deployment.
Bloggers were quick to pick up on the issues. Previous
form suggests that this problem will keep cropping up in future
versions, if it is so easy to get around.

Developers using the framework have been strongly advised to
update to 2.3.1.2 to combat this problem as soon as possible. Those
using Maven have been provided the details they need to configure
the update within the release
notes.
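
As an added example (not from the article or the Struts project), the following Python check reads a Maven POM and reports whether a declared struts2-core dependency falls inside the affected range quoted above, 2.0.0 to 2.3.1.1. It assumes the dependency is declared as org.apache.struts:struts2-core; the sample POM and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Affected range as stated in the article (inclusive); 2.3.1.2 is the fixed release.
FIRST_AFFECTED, LAST_AFFECTED = (2, 0, 0, 0), (2, 3, 1, 1)
PROP_REF = re.compile(r"\$\{([^}]+)\}")

# Constructed sample POM, not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.3.1.1</struts.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>"""

def is_affected(version):
    """True if a version string such as '2.3.1.1' is inside the affected range."""
    numeric = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not numeric:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in numeric.group().split(".")]
    parts += [0] * (4 - len(parts))  # pad '2.3.1' to (2, 3, 1, 0)
    return FIRST_AFFECTED <= tuple(parts) <= LAST_AFFECTED

def local(element):
    # Tag name without the XML namespace prefix.
    return element.tag.rsplit("}", 1)[-1]

def struts_findings(pom_text):
    """Return [(declared_version, affected)] for each struts2-core dependency."""
    root = ET.fromstring(pom_text)
    props = {local(p): (p.text or "").strip()
             for block in root.iter() if local(block) == "properties" for p in block}
    findings = []
    for dep in (el for el in root.iter() if local(el) == "dependency"):
        fields = {local(c): (c.text or "").strip() for c in dep}
        if fields.get("artifactId") != "struts2-core":
            continue
        # Resolve ${property} references declared in the same POM.
        version = PROP_REF.sub(lambda m: props.get(m.group(1), m.group(0)),
                               fields.get("version", ""))
        try:
            findings.append((version, is_affected(version)))
        except ValueError:
            findings.append((version, None))  # inherited or unresolved: check parent POM
    return findings
```

A result of `None` means the version is inherited or set outside this file, so the parent POM or the resolved dependency tree has to be checked instead.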